Glossary · Federal procurement

CMMC: Cybersecurity Maturity Model Certification.

The US Department of Defense certification framework for contractors and subcontractors handling Federal Contract Information or Controlled Unclassified Information.

The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense framework requiring contractors and subcontractors in the Defense Industrial Base to demonstrate specified cybersecurity requirements before being awarded contracts that involve Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The current iteration, CMMC 2.0, was announced in November 2021 and codified in the program rule at 32 CFR Part 170, published in October 2024. The companion DFARS acquisition rule followed in 2025, and CMMC requirements are being phased into solicitations and contracts over a three-year rollout beginning in late 2025 and completing in 2028.

CMMC 2.0 establishes three certification levels. Level 1, Foundational, requires implementation of the 15 basic safeguarding requirements of FAR 52.204-21 and applies to contractors handling only FCI; assessment is an annual self-assessment with an affirmation of compliance recorded in the Supplier Performance Risk System (SPRS). Level 2, Advanced, requires implementation of the 110 security requirements in NIST SP 800-171 Rev 2 and applies to contractors handling CUI; for most CUI-bearing acquisitions a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) is required, with self-assessment permitted only where the solicitation allows it. Level 3, Expert, layers 24 selected requirements from NIST SP 800-172 onto the Level 2 baseline and is reserved for the most sensitive CUI; it presupposes a current Level 2 C3PAO certification, and the Level 3 assessment is conducted by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

CMMC is implemented in DOD contracts through DFARS 252.204-7021, which makes the specified CMMC level a condition of award. The clause supplements rather than replaces DFARS 252.204-7012, which continues to impose the NIST SP 800-171 safeguarding and cyber-incident reporting obligations, and the NIST SP 800-171 self-assessment and SPRS scoring clauses at 252.204-7019 and 7020; what changes is that an independent assessment, rather than a contractor-reported score, now gates award at Level 2 and above. Contractors that flow CUI to subcontractors must impose the corresponding CMMC level down the supply chain. Level 2 and Level 3 certifications are valid for three years, with annual affirmations of continued compliance. A conditional certification may be issued against a limited plan of action and milestones (POA&M), but the open items must be closed out within 180 days or the certification lapses.

Where this matters.

For internationally headquartered firms supplying the US Defense Industrial Base, directly or as a subcontractor, CMMC is the operational gate. Foreign primes and sub-tier suppliers handling CUI need a certified compliance environment, often including US-based managed service providers, US-person staffing for roles that touch export-controlled CUI, and a System Security Plan that maps each of the NIST SP 800-171 Rev 2 requirements to the in-scope systems. The certification timeline typically runs nine to fifteen months including remediation. Foreign firms also face supply-chain provenance scrutiny under interlocking authorities, including the FAR Part 9 responsibility determination and the DFARS 252.225 domestic-source preference clauses.

CMMC interlocks with FedRAMP for cloud-delivered services and with ITAR and EAR controls when defense articles or technical data are involved. Further reading on the corridor architecture: "German cyber, FedRAMP, and CMMC" and "Cross-border defense and dual-use technology in US procurement".

Further on CMMC and defense procurement.

German cyber, FedRAMP, and CMMC.
How DACH cyber and cloud firms sequence FedRAMP authorisation, CMMC alignment, and US federal market entry.

Cross-border defense and dual-use.
How foreign defense and dual-use firms approach US procurement under ITAR, EAR, and DFARS overlays.

Mittelstand US procurement RFP handbook.
The RFP architecture US federal procurement reads on, and what foreign suppliers rebuild before responding.

Building US procurement architecture? Tell us where it stalls.

Describe the defense trajectory, the certification level required, and the commercial gate that is not opening. Response within one business day.

Start the conversation